IN_GPO

Summary

Description

IN_GPO indicates that a script is included within a Group Policy Object (GPO), allowing it to run on domain-joined computers during logon/logoff and startup/shutdown events. Because GPOs serve as a central system for configuring and enforcing settings on many machines, a script marked with IN_GPO can perform all tasks permitted by these policies such as installing software, modifying registry entries, or updating security controls across the network. This is extremely useful for administrators who want to ensure consistent and automated configuration management throughout the domain.

However, if these scripts are misused or altered, they can become a serious security threat. Attackers who successfully insert malicious code into scripts marked IN_GPO could gain the same level of control as the script itself, allowing them to spread harmful programs, disable security features, or permanently change critical system settings. Therefore, maintaining the security and integrity of scripts in GPO is essential.

Identification

PowerShell

Group Policy Module

Using the GroupPolicy PowerShell module, you can enumerate GPOs containing logon/logoff/startup/shutdown scripts.

Function: Find-IN_GPO

function Find-IN_GPO {
    [CmdletBinding()]
    param (
        [string]$GPOGuid = $null,             # Specific GPO GUID to scan
        [string]$OutputPath = "GPOScripts.csv" # Output CSV path
    )

    # Load GroupPolicy module if not already loaded
    if (-not (Get-Module -Name GroupPolicy)) {
        Write-Host "Attempting to load GroupPolicy module..."
        try {
            Import-Module GroupPolicy
            Write-Host "GroupPolicy module loaded successfully."
        }
        catch {
            Write-Error "Failed to load GroupPolicy module. Please ensure RSAT-GroupPolicy is installed."
            return
        }
    }

    function Get-GPOScriptDetails {
        param ([Microsoft.GroupPolicy.Gpo]$GPO)
        $results = @()
        try {
            [xml]$report = Get-GPOReport -Guid $GPO.Id -ReportType Xml
            foreach ($context in @("Computer", "User")) {
                $data = $report.GPO.$context.ExtensionData | Where-Object { $_.Name -eq 'Scripts' }
                if ($data) {
                    foreach ($script in $data.Extension.Script) {
                        $results += [PSCustomObject]@{
                            GPOName      = $GPO.DisplayName
                            GPOID        = $GPO.Id
                            ScriptType   = $script.Type
                            ScriptPath   = $script.Command
                            Parameters   = $script.Parameters
                            Context      = $context
                            LastModified = $GPO.ModificationTime
                        }
                    }
                }
            }
        }
        catch {
            Write-Warning "Error processing GPO '$($GPO.DisplayName)': $_"
        }
        return $results
    }

    if ($GPOGuid) {
        Write-Host "Scanning specific GPO with GUID: $GPOGuid"
        try {
            $gpo = Get-GPO -Guid $GPOGuid -ErrorAction Stop
            $allScripts = Get-GPOScriptDetails -GPO $gpo
        }
        catch {
            Write-Error "Failed to retrieve GPO with GUID $GPOGuid: $($_.Exception.Message)"
            return
        }
    }
    else {
        Write-Host "Scanning all GPOs in the domain..."
        try {
            $allGPOs = Get-GPO -All -ErrorAction Stop
            $allScripts = $allGPOs | ForEach-Object { Get-GPOScriptDetails -GPO $_ }
        }
        catch {
            Write-Error "Failed to enumerate GPOs: $($_.Exception.Message)"
            return
        }
    }

    if ($allScripts.Count -gt 0) {
        Write-Host "Found $($allScripts.Count) script entry(ies) in GPO(s)."
        try {
            $allScripts | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 -ErrorAction Stop
            Write-Output "Results exported successfully to '$OutputPath'"
        }
        catch {
            Write-Error "Failed to export results to CSV file '$OutputPath': $($_.Exception.Message)"
        }
    }
    else {
        Write-Output "No scripts found in GPO(s)."
    }
}

Usage Examples:

1. Scan all GPOs in the domain

2. Scan a specific GPO by GUID

3. Save results to a custom path

Group Policy Management Editor (GUI)

1. Open Group Policy Management Editor.

2. Expand Computer Configuration or User Configuration.

3. Expand Windows Settings → Scripts.

4. Double-click the script policy.

5. Review scripts listed under Scripts and PowerShell Scripts tabs.

6. Click OK to close.

Exploitation

This permission can be exploitable on Windows systems, while on Linux systems, tools such as impacket tools can be effectively used for exploitation.

An attacker can abuse IN_GPO by inserting a malicious PowerShell or batch script into a logon/logoff or startup/shutdown script section of a Group Policy Object. Since these scripts are executed automatically on all domain-joined machines affected by the GPO, this provides a reliable way to achieve code execution at scale.

Attacker could add the following command to a logon script to download and execute a payload from a remote server.

When the GPO refreshes on target machines, the malicious payload will be executed without user interaction, granting the attacker remote code execution across multiple systems.

On Linux systems, impacket tools can be used to gain remote access and trigger execution of the injected script:

In example:

After gaining a shell, the attacker can also force an immediate GPO update with:

Mitigation

You can mitigate IN_GPO with following steps:

1. Open Group Policy Management Editor.

2. Expand the Configuration (User or Computer)

3. Expand windows settings then click Scripts

4. Double click to the script policy.

5. In the scripts and PowerShell Scripts list, locate and remove scripts.

6. Click OK to close the dialogs.

Detection

Adding new Access Control Entries on the Active Directory objects changes the ntSecurityDescriptor attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event ID's to identify dangerous modifications. During Group Policy processing, the Scripts client-side extension is responsible for launching not only computer startup and shutdown scripts but also user logon and logoff scripts.Event ID 1130 is during Group Policy processing, the Scripts client-side extension is responsible for launching not only computer startup and shutdown scripts but also user logon and logoff scripts.

References

• Hidden Menace: How to Identify Misconfigured and Dangerous Logon Scripts - OffSec Blog

• Using Logon Scripts for Active Directory - Redmondmag